System and methodology providing automation security analysis, validation, and learning in an industrial controller environment

ABSTRACT

The present invention relates to a system and methodology facilitating automation security in a network-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.

REFERENCE TO RELATED APPLICATION(S)

This application is a continuation of, and claims priority to, U.S. patent application Ser. No. 10/661,696, filed on Sep. 12, 2003, and entitled “SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY ANALYSIS, VALIDATION, AND LEARNING IN AN INDUSTRIAL CONTROLLER ENVIRONMENT,” which claims the benefit of U.S. Provisional Patent Application Ser. No. 60/420,006, filed Oct. 21, 2002, and entitled “SYSTEM AND METHODOLOGY PROVIDING AUTOMATION SECURITY IN AN INDUSTRIAL CONTROLLER ENVIRONMENT.” The entireties of these related applications are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to industrial control systems, and more particularly to a system and methodology to facilitate electronic and network security in an industrial automation system.

BACKGROUND OF THE INVENTION

Industrial controllers are special-purpose computers utilized for controlling industrial processes, manufacturing equipment, and other factory automation, such as data collection or networked systems. In accordance with a control program, the industrial controller, having an associated processor (or processors), measures one or more process variables or inputs reflecting the status of a controlled system, and changes outputs effecting control of such system. The inputs and outputs may be binary (e.g., on or off), as well as analog inputs and outputs assuming a continuous range of values.

Measured inputs received from such systems and the outputs transmitted by the systems generally pass through one or more input/output (I/O) modules. These I/O modules serve as an electrical interface to the controller and may be located proximate or remote from the controller including remote network interfaces to associated systems. Inputs and outputs may be recorded in an I/O table in processor memory, wherein input values may be asynchronously read from one or more input modules and output values written to the I/O table for subsequent communication to the control system by specialized communications circuitry (e.g., back plane interface, communications module). Output modules may interface directly with one or more control elements, by receiving an output from the I/O table to control a device such as a motor, valve, solenoid, amplifier, and the like.

At the core of the industrial control system is a logic processor such as a Programmable Logic Controller (PLC) or PC-based controller. Programmable Logic Controllers, for instance, are programmed by systems designers to operate manufacturing processes via user-designed logic programs or user programs. The user programs are stored in memory and generally executed by the PLC in a sequential manner although instruction jumping, looping and interrupt routines, for example, are also common. Associated with the user program are a plurality of memory elements or variables that provide dynamics to PLC operations and programs. These variables can be user-defined and can be defined as bits, bytes, words, integers, floating point numbers, timers, counters and/or other data types to name but a few examples.

Various remote applications or systems often attempt to update and/or acquire PLC information or related device information via a plurality of different, competing and often incompatible or insecure network technologies. A major concern with this type of access to PLCs and control systems in general relates to the amount of security that is provided when sending or receiving data to and from the PLC and/or associated equipment. In most factories or industrial environments, complex and sometimes dangerous operations are performed in a given manufacturing setting. Thus, if a network-connected controller were inadvertently accessed, or even worse, intentional sabotage were to occur by a rogue machine or individual, potentially harmful results can occur.

One attempt at providing security in industrial control systems relates to simple password protection to limit access to the systems. This can take the form of a plant or controls Engineer or Administrator entering an alpha-numeric string that is typed by an operator each time access is attempted, wherein the controller grants access based on a successful typing of the password. These types of passwords are highly prone to attack or discovery, however. Oftentimes, users employ passwords that are relatively easy to determine (e.g., a person's name or birthday). Sometimes, users exchange passwords with other users, whereby the password is overheard or simply, a user with improper authorization comes in contact with the password. Even if a somewhat higher level of security is provided, parties employing sophisticated hacking techniques can often penetrate sensitive control systems, whereby access should be limited to authorized users and/or systems in order to mitigate potentially harmful consequences.

SUMMARY OF THE INVENTION

The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. This summary is not an extensive overview of the invention. It is intended to neither identify key or critical elements of the invention nor delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that is presented later.

The present invention relates to a system and methodology to facilitate network and/or automation device security in an industrial automation environment. Various systems and methodologies are provided to promote security across and/or within networks and in accordance with different automation device capabilities. In one aspect of the present invention, a Security Analysis Methodology (SAM) and tool provides an automated process, component, and tool that generates a set (or subset) of security guidelines, security data, and/or security components. An input to the tool can be in the form of an abstract description or model of a factory, wherein the factory description includes one or more assets to be protected and associated pathways to access the assets. Security data generated by the tool includes a set of recommended security components, related interconnection topology, connection configurations, application procedures, security policies, rules, user procedures, and/or user practices, for example.

SAM can be modeled on a risk-based/cost-based approach, if desired. A suitable level of protection can be determined to facilitate integrity, privacy, and/or availability of assets based on risk and/or cost. In addition, descriptions of shop floor access, Intranet access, Internet access, and/or wireless access can also be processed by the tool. Since multiparty involvement can be accommodated (IT, Manufacturing, Engineering, etc.), the tool can be adapted for partitioned security specification entry and sign-off. The security data of the SAM tool can be generated in a structured security data format (e.g., XML, SQL) that facilitates further validation and compliance checking of the security data, if desired.

In another aspect of the present invention, a security Validation Methodology and associated tools can be provided. The validation tools perform initial and periodic live security assessment of a physical system. This enables security flaws or weaknesses to be identified. One aspect of the tools is to check a system prior to security modifications in order to assess current security levels. Another aspect is to check a system for conformance—either to recommendations of a security analysis, and/or against standards such as ISO, for example. The validation tools can be executed on end devices (host based), and/or executed as an independent device that is operatively coupled to a network (network based) at selected points. One function of host-validation tools is to perform vulnerability scanning and/or auditing on devices. This includes revision checks, improper configuration checks, file system/registry/database permissions checks, user privilege/password and/or account policy checks, for example.

One function of the network validation tools is to perform vulnerability scanning and auditing on the networks. This includes checking for susceptibility to common network-based attacks, searching for open TCP/UDP ports, and scanning for vulnerable network services. The tools can also attempt to gain key identity information about end devices that may enable hacker entry. Another function of the network validation tools is to perform vulnerability scanning and auditing on firewalls, routers, and/or other network/security devices. In addition, a complementary tool can be provided to assess CIP-based factory automation systems for security. This will typically be a network-based tool, since factory automation devices often are not as capable as general purpose computing devices. The tool can also be operable in an assessment mode to discover system flaws with little or no configuration, and the tool can operate in a validation mode to check system security against security analysis methodology determinations described above. Still yet other functions can include non-destructively mapping a topology of IT and automation devices, checking revisions and configurations, checking user attributes, and/or checking access control lists. The validation tools described herein can also be adapted to automatically correct security problems (e.g., automatically adjust security parameters/rules/policies, install new security components, remove suspicious components, and so forth).

According to another aspect of the present invention, a Security Learning system is provided that can include network-based aspects and/or host-based aspects similar to some of the security aspects described above with respect to the Validation tools. A network-based security learning system (also referred to as learning component) is provided that monitors an automation network during a predetermined training period (e.g., monitor network activities for 1 week). During the training period, the learning component monitors and learns activities or patterns such as: the number of network requests to and from one or more assets; the type of requests (e.g., read/write, role/identity of person/system requesting access, time of requests); status or counter data (e.g., network access counters, error codes) which can be provided or queried from a learning or status component within the asset; and/or monitor and learn about substantially any data type or pattern that may be retrieved from the network and/or the asset.

After the training period, the learning component monitors the automation network and/or assets for detected deviations from data patterns learned during the training period. If desired, a user interface can be provided, wherein one or more pattern thresholds can be adjusted (also can provide options for the type of data patterns to monitor/learn). For example, if the number of network requests to the asset has been monitored and learned to be about 1000 requests per hour during the past month, then a threshold can be set via the user interface that triggers an alarm or causes an automated event to occur if a deviation is detected outside of the threshold (e.g., automatically disable all network requests from the other networks if the number of network requests to the asset exceeds 10% of the average daily network requests detected during the training period).

Various learning functions and/or processes can be provided to facilitate automated learning within the learning components. This can include mathematical processes, statistical processes, functions, and/or algorithms and include more elaborate systems such as a neural network, for example. In addition, artificial intelligence functions, components and/or processes can be provided. Such components can include automated classifiers for monitoring and learning data patterns, wherein such classifiers include inference models, Hidden Markov Models (HMM), Bayesian models, Support Vector Machines (SVM), vector-based models, decision trees, and the like.
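The training-then-monitor behaviour of the learning component described above, as an added illustration that is not code from the patent: per-asset hourly request lists are observed during a training period, a baseline (average requests per hour, known requester roles and source networks) is learned, and monitoring fires an alarm plus an automated action when the count deviates more than a configurable percentage (the 10% figure and the "disable requests from other networks" action follow the example in the text). The request tuple layout, the dataclass names and the sample traffic are constructed here for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Baseline:
    """Patterns learned for one asset during the training period."""
    avg_requests_per_hour: float
    known_roles: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)


@dataclass
class Event:
    asset: str
    kind: str      # "alarm" (notify an entity) or "action" (automated response)
    detail: str


class LearningComponent:
    """Network-based learning component: learn during training, then detect deviations."""

    def __init__(self, deviation_pct=10.0):
        self.deviation_pct = deviation_pct      # adjustable pattern threshold
        self._training_hours = defaultdict(list)
        self.baselines = {}

    def observe_training_hour(self, asset, requests):
        """Record one hour of requests to an asset; each request is
        (request_type, requester_role, source_network), a constructed layout."""
        self._training_hours[asset].append(list(requests))

    def finish_training(self):
        """Derive a baseline per asset from everything seen during training."""
        for asset, hours in self._training_hours.items():
            self.baselines[asset] = Baseline(
                avg_requests_per_hour=mean(len(h) for h in hours),
                known_roles={role for h in hours for (_, role, _) in h},
                known_networks={net for h in hours for (_, _, net) in h},
            )
        return self.baselines

    def monitor_hour(self, asset, requests):
        """Compare one post-training hour against the baseline; return events fired."""
        base = self.baselines[asset]
        events = []
        count = len(requests)
        deviation = abs(count - base.avg_requests_per_hour) / base.avg_requests_per_hour * 100
        if deviation > self.deviation_pct:
            events.append(Event(asset, "alarm",
                                f"{count} requests/hour deviates {deviation:.1f}% "
                                f"from learned {base.avg_requests_per_hour:.0f}"))
            # Automated event from the text: cut off traffic from other networks.
            events.append(Event(asset, "action",
                                "disable network requests from other networks"))
        # Identity/role and source-network patterns never seen in training.
        for role in sorted({r for (_, r, _) in requests} - base.known_roles):
            events.append(Event(asset, "alarm", f"request from unknown role {role!r}"))
        for net in sorted({n for (_, _, n) in requests} - base.known_networks):
            events.append(Event(asset, "alarm", f"request from unknown network {net!r}"))
        return events


def make_hour(reads, writes, network="control"):
    """Constructed sample traffic: operator reads plus engineer writes on one network."""
    return [("read", "operator", network)] * reads + [("write", "engineer", network)] * writes


if __name__ == "__main__":
    lc = LearningComponent()
    for reads in (940, 960, 980):               # three training hours, avg 1000 requests
        lc.observe_training_hour("PLC-1", make_hour(reads, 40))
    lc.finish_training()
    for ev in lc.monitor_hour("PLC-1", make_hour(1100, 50)):   # 1150 requests: +15%
        print(ev)
```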

The following description and the annexed drawings set forth in detail certain illustrative aspects of the invention. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram illustrating automation security tools in accordance with an aspect of the present invention.

FIG. 2 is a schematic block diagram illustrating a security analysis tool in accordance with an aspect of the present invention.

FIG. 3 is a diagram illustrating an example security analyzer in accordance with an aspect of the present invention.

FIG. 4 is a diagram illustrating an example security analysis schema in accordance with an aspect of the present invention.

FIG. 5 is a diagram illustrating a validation system, methodology, and security validation tools in accordance with an aspect of the present invention.

FIG. 6 is a schematic block diagram illustrating a validation analyzer in accordance with an aspect of the present invention.

FIG. 7 is a schematic block diagram illustrating a security learning system in accordance with an aspect of the present invention.

FIG. 8 is a diagram illustrating a learning component in accordance with an aspect of the present invention.

FIG. 9 is a schematic block diagram illustrating a learning analyzer in accordance with an aspect of the present invention.

FIG. 10 is a flow diagram illustrating security analysis processing in accordance with an aspect of the present invention.

FIG. 11 is a flow diagram illustrating security validation processing in accordance with an aspect of the present invention.

FIG. 12 is a flow diagram illustrating security learning and detection processing in accordance with an aspect of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention relates to a system and methodology facilitating automation security in a network-based industrial controller environment. Various components, systems and methodologies are provided to facilitate varying levels of automation security in accordance with security analysis tools, security validation tools and/or security learning systems. The security analysis tool receives abstract factory models or descriptions for input and generates an output that can include security guidelines, components, topologies, procedures, rules, policies, and the like for deployment in an automation security network. The validation tools are operative in the automation security network, wherein the tools perform security checking and/or auditing functions, for example, to determine if security components are in place and/or in suitable working order. The security learning system monitors/learns network traffic patterns during a learning phase, fires alarms or events based upon detected deviations from the learned patterns, and/or causes other automated actions to occur.

It is noted that as used in this application, terms such as “component,” “tool,” “analyzer,” and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution as applied to an automation system for industrial control. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and a computer. By way of illustration, both an application running on a server and the server can be components. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers, industrial controllers, and/or modules communicating therewith.

Referring initially to FIG. 1, a system 100 illustrates various automation security tools in accordance with an aspect of the present invention. One or more automation assets 120 communicate and cooperate with various network devices 124 across a network 130. The automation assets 120 include substantially any type of control, communications module, computer, I/O device, or Human Machine Interface (HMI) that communicates via the network 130, which includes control, automation, and/or public networks. In one example, the automation assets 120 include Programmable Logic Controllers (PLC) that can also communicate to and control various other assets such as Input/Output modules including Analog, Digital, Programmed/Intelligent I/O modules, other programmable controllers, communications modules, and the like. The network 130 includes public networks such as the Internet, Intranets, and automation networks such as Control and Information Protocol (CIP) networks including DeviceNet and ControlNet. Other networks 130 include Ethernet, DH/DH+, Remote I/O, Fieldbus, Modbus, Profibus, wireless networks, serial protocols, and so forth. In addition to the automation assets 120, the network devices 124 include various possibilities (hardware and/or software components). These include components such as switches with virtual local area network (VLAN) capability, LANs, WANs, proxies, gateways, routers, firewalls, virtual private network (VPN) devices, intrusion detection systems, servers, clients, computers, configuration tools, monitoring tools, and/or other devices.

According to one aspect of the present invention, various security tools can be provided with the system 100. Although three tools are illustrated, it is to be appreciated that more or less than three tools can be employed with the present invention and in a plurality of similar or different combinations. In one aspect, a security analysis tool 140 is provided that receives factory input data 144 describing or modeling various aspects of the automation assets 120, network devices 124, network 130, and/or system 100. The security analysis tool 140 processes the factory input data 144 and generates security output data 150 which is then deployed to machines and/or users in order to facilitate suitable network security measures and practices in the system 100. As will be described in more detail below, such measures can include security recommendations, configuration guidelines or adjustments, procedures, rules, policies, and security parameters, for example, that are utilized to mitigate unwanted intrusions or attacks from the network 130 that may affect the automation assets 120 and/or network devices 124.

In another aspect of the present invention, one or more validation tools 160 can be provided (can be host and/or network based) that perform automated security auditing and checking functions on the network 130, the automation assets 120, and/or network devices 124 to determine if suitable security standards have been implemented. The validation tools also perform periodic or monitored assessments within the system 100 to determine if potential network threats or attacks are at hand. As will be described in more detail below, this can include automated and/or healing operations to mitigate network security threats. In another aspect of the present invention, one or more learning tools 170 can be provided (can also be host and/or network based) that learn system activities or patterns during a training or configuration period, then perform automated actions in response to detected deviations from the learned activities or patterns. Such automated actions can include altering network activity (e.g., preventing further network attempts to automation assets or network devices) and firing an alarm such as an e-mail or pager to notify an entity (user and/or machine) of a potential or detected problem.

It is noted that the security tools 140, 160 and/or 170 can share or exchange information between tools. For example, the security analysis tool 140 can receive input from the validation tool 160 (e.g., three new network devices detected in topology), wherein the security analysis tool generates new or adjusted security output data 150 in response thereto. It is further noted that one or more of the automation assets 120 may directly access the network 130 and/or may employ the network devices 124 to achieve network access.

Turning to FIG. 2, a security analysis tool 200 is illustrated in accordance with an aspect of the present invention. The security analysis tool 200 operates on a computer or workstation and receives one or more factory inputs 210 that can be generated from a plurality of sources. Such sources can include user input, model input (e.g., asset models, network models), schemas, formulas, equations, maps, and codes, for example. The factory inputs 210 are then processed by the security analysis tool 200 to generate one or more security outputs 220 which can also be provided in various forms such as manuals, documents, schemas, executables, codes, e-mails, and/or other electronic data that is described in more detail below. As illustrated, a Graphical User Interface 230 (GUI) or interface application can be provided to interact with the security analysis tool 200, factory inputs 210, and/or security outputs 220. This can include substantially any type of application that sends, retrieves, processes, and/or manipulates factory input data 210, receives, displays, formats, and/or communicates security output data 220, and/or facilitates operation of the security analysis tool 200. For example, such interfaces 230 can also be associated with an engine, editor tool or web browser although other type applications can be utilized. The GUI 230 includes a display 234 having one or more display objects (not shown) including such aspects as configurable icons, buttons, sliders, input boxes, selection options, menus, tabs and so forth having multiple configurable dimensions, shapes, colors, text, data and sounds to facilitate operations with the security analysis tool 200. In addition, the GUI 230 can also include a plurality of other inputs 240 or controls for adjusting and configuring one or more aspects of the present invention. This can include receiving user commands from a mouse, keyboard, speech input, web site, remote web service and/or other device such as a camera or video input to affect or modify operations of the GUI 230.

Referring now to FIG. 3, an example security analyzer 300 is illustrated in accordance with an aspect of the present invention. The security analyzer 300 can be an automated process, application, component, and/or tool that generates a set of security guidelines or security data 310 and executes a Security Analysis Method (SAM) in accordance with the present invention. An input to the security analyzer 300 is an abstract description of a factory depicted as factory data 320. The factory data 320 can describe or model one or more automation assets to be protected and associated network pathways to access the assets. Other factory data 320 can include risk data, cost data, security feedback from other security tools, network access patterns, and partitioning data, for example. Security data 310 generated by the security analyzer 300 includes a set of recommended security components, related interconnection topology, connection configurations, application procedures, security policies, rules, user procedures, and/or user practices, for example, that is employed to guide users and adapt systems with various security measures.

The Security Analysis Method noted above, and security analyzer 300, can also be modeled on a risk-based/cost-based approach, if desired. A suitable level of protection can be determined to facilitate integrity, privacy, and/or availability of assets based on risk and/or cost. Thus, security parameters, policies, and procedures, for example, can be increased if lower security risks and associated costs are desired, whereas security measures can be decreased if higher risks and/or costs associated with network attacks or intrusions are deemed acceptable. In addition, descriptions of shop floor access, Intranet access, Internet access, wireless access and/or other network access patterns can also be described as factory data 320 and processed by the security analyzer 300. Since multiple party involvement can be accommodated (e.g., IT, Manufacturing, Engineering, etc.), the security analyzer 300 can be adapted for partitioned security specification entry and sign-off. The security data 310 can be generated in a structured security data format (e.g., XML, SQL) that facilitates further validation and compliance checking of the security data, if desired. As illustrated, a security analysis schema 330, which is described in more detail below, can be derived from the security data 310 and can be provided to other entities such as users or machines for further security processing/implementations.

FIG. 4 illustrates an exemplary schema that may be employed for security deployments, communications, and configurations in accordance with the present invention. Although the schema represents one possible manner in which to transfer data to and from an entity such as a user, interface, file, an automation component and associated network devices, it is to be appreciated that other possible data transfer mechanisms may be employed. For example, data can be transmitted in the form of binary or other type data packets that convey information in accordance with the present invention.

Referring to FIG. 4, an example security analysis schema 400 is illustrated in accordance with an aspect of the present invention. The security analysis schema 400 includes one or more XML elements 410 through 440 (defined by starting and ending tags with </> symbols, arranged in substantially any order) that relate to one or more security items or data and provide information to facilitate security guidelines and configurations. Although not shown, the XML elements and associated tags can also include attribute information if desired, wherein an attribute is a name-value pair associated with an element start tag (e.g., <topology=“PLC connected to gateway device having firewall protection”>). The security analysis schema 400 can then be deployed to various systems and/or components to control/adapt network access based upon the security contents specified therein.

Proceeding to 410, a recommendations element can be provided having associated recommendations data. This can include suggestions as to how to adapt automation components and network devices for suitable security measures (e.g., in view of risk and cost criteria). In one example, a suggestion can be in the form of a statement “All real time control devices and networks should only be connected to public networks via front-end server having virus detection, intrusion detection, and virtual private network capabilities.” In another example, “Remote factory network devices must be identified, authorized, and authenticated before achieving access to control network, otherwise, local factory network devices should communicate with low-end encryption technologies.” As can be appreciated, a plurality of such recommendations can be provided. At 414, a topologies element can be provided. This can include information on how to interconnect various devices and networks to achieve desired security goals (e.g., PLC connects to router, router connects to factory server and protected gateway . . . ). In another aspect, the topology data 414 can be in the form of symbols or codes that are employed to construct topology or network maps/displays via a visual or other type application.

At 420, configuration data can be provided. This type of data can include settings or parameters for adapting network components with suitable security measures (e.g., communications module word three should be set to value 03AA Hex for extended security checking, set dip switch two on gateway to cause authentication and authorization procedures with outside network devices, install virus detection software on network server . . . ). In another aspect, the configuration data can be sent or deployed to devices via the schema 400 and loaded to cause automatic configurations. At 424, an applications procedure element can be provided having associated procedure data. Such data can include the types of security applications to load, any security adjustments or settings relating to the applications, application status information to verify, and procedures for correctly operating respective security applications to mitigate potential attacks or threats.

At 430, policy data can be provided. The policy can be general and/or specific, applied system wide and/or to a device or subset of devices. For example, location-based policies can be initiated (e.g., all network requests from listed URLs are to be denied, network requests from Pittsburgh server limited to 100 per day). Time-based policies can also be defined (e.g., no outside network requests allowed between 10:00 AM and 2:00 PM). Process-based policies can be defined such as, for example, “Limit outside network requests to below 50 during real time batch operations.” Other policies include load-based policies, whereby network requests that are responded to are regulated in accordance with an amount of desired network traffic (e.g., regulated according to requests/hour). Other policies may be related to the type of requests (e.g., all requests to write data to the PLC are to be denied, outside devices cannot update analog module configuration data, communications module to provide status data only). In general, substantially any policy that defines, regulates, and/or limits network activities in view of security considerations can be employed with the present invention.

At 434, one or more security rules can be provided that have similar effects as the policies described above. For example, rules can be provided in an If/Then construct (can include else, else if, Boolean expressions and the like), wherein if a defined condition or conditions occur, then one or more listed actions result (can include nested constructs) (e.g., If more than 3 network access attempts are negotiated unsuccessfully, then deny further communications with node or address). At 440, user procedure data can be provided. This can include actual procedure data and/or links to databases or websites to acquire the data. Such data can instruct users on suitable security procedures, security precautions, training, configurations, examples, wizards, manuals, troubleshooting, emergency contacts, contact information, maintenance, and the like which are designed to mitigate system security problems.
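A worked instance of the FIG. 4 schema (elements 410 through 440) and of how a deployed component could enforce the policy and rule elements, added here as an example rather than the patent's own schema or code. The element and attribute names, the condition syntax (`field op value`), and the sample requests are assumptions; the policies and the If/Then rule are the ones quoted in the text (write requests to the PLC denied, no outside requests between 10:00 AM and 2:00 PM, the Pittsburgh server limited to 100 requests per day, and a node denied after more than 3 unsuccessful access attempts).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed security analysis schema instance; tag names are assumptions.
SCHEMA_XML = """
<securityAnalysis>
  <recommendations>
    <recommendation>All real time control devices and networks should only be
    connected to public networks via front-end server having virus detection,
    intrusion detection, and virtual private network capabilities.</recommendation>
  </recommendations>
  <topologies>
    <link from="PLC" to="router"/>
    <link from="router" to="gateway" protection="firewall"/>
  </topologies>
  <configuration>
    <setting device="communications module" word="3" value="03AA"/>
  </configuration>
  <policies>
    <policy kind="request-type" request="write" target="PLC" action="deny"/>
    <policy kind="time" scope="outside" start="10:00" end="14:00" action="deny"/>
    <policy kind="load" source="pittsburgh-server" limit="100" per="day"/>
  </policies>
  <rules>
    <rule if="failed_attempts gt 3" then="deny-node"/>
  </rules>
</securityAnalysis>
"""


class SchemaEnforcer:
    """Loads a schema instance and applies its policies and rules to requests."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.links = [(l.get("from"), l.get("to")) for l in root.iter("link")]
        self.policies = [p.attrib for p in root.iter("policy")]
        self.rules = [r.attrib for r in root.iter("rule")]
        self.counts = defaultdict(int)            # per-source daily request counter
        self.failed_attempts = defaultdict(int)   # per-node unsuccessful negotiations
        self.denied_nodes = set()

    def record_failed_attempt(self, node):
        """Count one unsuccessful access negotiation, then evaluate the If/Then rules.
        Returns True once the node is denied further communications."""
        self.failed_attempts[node] += 1
        for rule in self.rules:
            field, op, value = rule["if"].split()     # assumed condition syntax
            observed = {"failed_attempts": self.failed_attempts[node]}[field]
            if op == "gt" and observed > int(value) and rule["then"] == "deny-node":
                self.denied_nodes.add(node)
        return node in self.denied_nodes

    def decide(self, request):
        """Return (allowed, reason) for a request dict with keys
        source, type, target, time ("HH:MM") and optional outside (bool)."""
        src = request["source"]
        if src in self.denied_nodes:
            return False, "node denied by rule"
        for p in self.policies:
            kind = p["kind"]
            if (kind == "request-type" and request["type"] == p["request"]
                    and request["target"] == p["target"]):
                return False, "request-type policy"
            # Zero-padded HH:MM strings compare correctly as text.
            if (kind == "time" and request.get("outside")
                    and p["start"] <= request["time"] < p["end"]):
                return False, "time-based policy"
            if kind == "load" and src == p["source"]:
                self.counts[src] += 1
                if self.counts[src] > int(p["limit"]):
                    return False, "load-based policy"
        return True, "allowed"


if __name__ == "__main__":
    enforcer = SchemaEnforcer(SCHEMA_XML)
    print(enforcer.links)
    print(enforcer.decide({"source": "hmi-1", "type": "write", "target": "PLC", "time": "09:00"}))
    print(enforcer.decide({"source": "remote-1", "type": "read", "target": "PLC",
                           "time": "11:30", "outside": True}))
```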

FIG. 5 illustrates a validation system 500, methodology, and validation tools 550, 560 in accordance with an aspect of the present invention. The validation tools 550 and 560 perform initial and periodic live security assessment of a physical system. This enables security flaws or weaknesses to be identified. One aspect of the tools is to check the system 500 prior to proposed or attempted security modifications in order to assess current security levels. Another aspect is to check the system 500 for conformance—to the recommendations of a security analysis tool described above, and/or against standards such as ISO, for example.

The validation tools 550 and 560 can be executed on end devices 570 (host based), and/or executed as an independent device 580 that is attached to a network 590 (network based) at selected points. One function of the host validation tool 550 is to perform vulnerability scanning and/or auditing on devices. This includes revision checks, improper configuration checks, file system/registry/database permission checks, and user privilege/password and/or account policy checks, for example.

One function of the network validation tool 560 is to perform vulnerability scanning and auditing on the networks 590. This includes checking for susceptibility to common network-based attacks, searching for open TCP/UDP ports, and scanning for vulnerable network services. The tools 550 and 560 can also attempt to gain key identity information about end devices that could enable an attacker to gain entry, so that the exposure is found before an attacker finds it.

Another function of the network validation tool 560 is to perform vulnerability scanning and auditing on firewalls, routers, and/or other security devices. In addition, a complementary tool can be provided to assess CIP-based factory automation systems for security (this includes substantially any factory protocol). This will typically be a network-based tool, since factory automation devices often lack the resources of general purpose computing devices and cannot host such a tool themselves. The network validation tool 560 can also operate in an assessment mode to discover system flaws with little or no configuration, and in a validation mode to check system security against the determinations of the security analysis methodology described above. Still other functions can include non-destructively mapping a topology of IT and automation devices, checking revisions and configurations, checking user attributes, and/or checking access control lists. The validation tools described herein can also be adapted to automatically correct security problems (e.g., automatically adjust security parameters, install new security components, remove suspicious components, and so forth). It is to be appreciated that one or more of the functions described herein for the host validation tool 550 may be shared with or moved to the network validation tool 560, and vice versa.

Referring now to FIG. 6, a validation analyzer 600 is illustrated in accordance with an aspect of the present invention. The validation analyzer 600 can be a hardware device, computer, processor, application, and/or combination thereof that processes one or more security data inputs 610, such as can be received or communicated from a network (not shown). The security data inputs 610 include current security data, network data, audit data, device data, security analysis data, and/or other data that can be derived by scanning or querying a network and associated devices via the validation analyzer 600 for information regarding current network security conditions. Various components can be provided with the validation analyzer 600 to facilitate security monitoring and processing. In one aspect, an assessment component 620 can be provided. The assessment component 620 performs initial and/or periodic security determinations on network systems to identify security deficiencies or problems therein. For example, the assessment component 620 may compare a stored security configuration with a network configuration received from the security data inputs 610, flag any differences, and/or institute further actions if differences are detected.

In another aspect, a standards component 624 can be provided to perform security compliance checking. This can include automated checking prior to proposed or attempted network security modifications in order to assess current security levels. Compliance checking can also include determining conformance to other automated security analysis recommendations, conformance to applicable device/network security standards, and/or conformance to predetermined or factory-specific standards, for example. Such checking can be in accordance with stored standards or procedures within the validation analyzer 600, or can include remote checking against such resources as network databases, web sites, or web services (e.g., databases linked to an Internet Protocol Security standard, an IEEE database). It is noted that the assessment component 620 and/or standards component 624 can initiate vulnerability scanning and/or auditing on devices/networks/systems. This can include revision checks, improper configuration checks, file system/registry/database permissions checks, user privilege/password and/or account policy checks, checking for susceptibility to network-based attacks, searching for open network ports, scanning for vulnerable network services, learning identity information about end devices/users that may enable attack entry, performing vulnerability scanning and auditing on firewalls, routers, and/or other security devices or components, non-destructively mapping a topology of network devices, checking revisions and configurations, checking user attributes, and/or checking network/device access control lists. As can be appreciated, such checking can include comparisons to local/remote databases or sites as noted above.

In yet another aspect of the present invention, a learning/analyzer component 628 can optionally be provided within the validation analyzer 600. This component can be adapted to learn network, device, and/or system patterns, scan current network data, and process the current network data in accordance with the learned patterns to possibly initiate other automated actions. The learning/analyzer component 628 will be described in more detail below with respect to FIGS. 7-9.

If a security issue or problem is detected by the assessment component 620, standards component 624, and/or learning/analyzer component 628, a flag or event can be fired that triggers an automated action component 650, wherein one or more automated security actions can be initiated. The automated security actions can include automatically correcting security problems at 654, such as automatically adjusting security parameters; altering network traffic patterns at 658 (e.g., increasing/decreasing communications with a node); installing new security components and/or removing/disabling suspicious components at 662; firing alarms and/or automatically notifying entities about detected problems and/or concerns at 670; and/or generating security data at 674, such as generating an error or log file, generating a schema, generating data to re-configure or re-route network connections, or updating a database or remote site, for example. As illustrated, the validation analyzer 600 can be configured and interacted with via a user interface 680 having similar input and output functionality as described above with respect to the user interface depicted in FIG. 2.

FIG. 7 illustrates a security learning system 700 in accordance with an aspect of the present invention. The security learning system 700 can include network-based aspects and/or host-based aspects, similar to some of the security aspects described above with respect to FIG. 5. A network-based security learning system 710 (also referred to as learning component 710) is provided that monitors an automation network 714 during a predetermined training period (e.g., monitoring network activities for 1 month).

During the training period, the learning component 710 monitors and learns activities or patterns such as:

-   the number of network requests to and from one or more assets 720;
-   the type of requests (e.g., read/write, role/identity of the person/system requesting access, time of requests);
-   status or counter data (e.g., network access counters, error codes), which can be provided or queried from a learning or status component 724 within the asset 720; and/or
-   substantially any other data type or pattern that may be retrieved from the network 714 and/or the asset 720.

Network activities can also include network requests that are received from outside networks 730, which may be routed through a security gateway or server 734 before reaching the automation network 714.

After the training period, the learning component 710 monitors the automation network 714 and/or assets 720 for deviations from the data patterns learned during the training period. If desired, a user interface (not shown) can be provided, wherein one or more pattern thresholds can be adjusted (and options for the type of data patterns to monitor/learn can be provided). For example, if the number of network requests to the asset 720 has been monitored and learned to be about 1000 requests per hour during the past month, then a threshold can be set via the user interface that triggers an alarm or causes an automated event to occur if a deviation outside of the threshold is detected (e.g., automatically disable all network requests from the other networks 730 if the number of network requests to the asset 720 exceeds a set or determined percentage of the average request rate detected during the training period).

In one aspect, the learning component 710 and associated detection parameters or thresholds can be provided as a network-based tool or tools that can reside at various portions of the automation network 714. In another aspect, the learning component can be provided as a host-based component as illustrated at 724, depending on the resources available for the asset 720.

Various learning functions and/or processes can be provided to facilitate automated learning within the learning components 710 and 724. These can include mathematical processes, statistical processes, functions, and/or algorithms, and can include more elaborate systems such as a neural network, for example. In addition, artificial intelligence functions, components, and/or processes can be provided. Such components can include automated classifiers for monitoring and learning data patterns, wherein such classifiers include inference models, Hidden Markov Models (HMM), Bayesian models, Support Vector Machines (SVM), vector-based models, decision trees, and the like.

FIG. 8 illustrates a learning component 800 in accordance with an aspect of the present invention. The learning component 800 can be configured with various data types, circuits, algorithms, applications, and so forth that are adapted to learn from data or events generated from a training data set 810. The training data set 810 is derived by monitoring network or device activities over a predetermined timeframe. Such activities include network events, network data, network device activities, automation asset activities, and monitoring status information, for example. The activities can also include network access patterns, network access attempts, network sources, data transfer and exchange activities, network/device load considerations, time considerations, and location considerations, for example (e.g., what time does the heaviest network traffic occur, where do most network requests originate, from what regions do most hacking attempts originate).

In order to process the training data 810, the learning component 800 includes one or more learning models 820 and/or learning variables 830. As noted above, the learning models 820 can include such aspects as neural network functions, inference models, mathematical models, statistical models, probabilistic models, classifiers, and so forth that learn network patterns or occurrences from the training data 810. It is also noted that the learning models can be adapted similarly (e.g., all models configured as Hidden Markov Models) or adapted in various combinations (e.g., 40 models configured as a neural network, 3 models adapted in a Bayesian configuration, 1 model configured as a vector-based classifier). The learning variables 830 can be focused on selected events or circumstances. For example, a network load variable may record the average number of outside network requests per hour. In another example, a PLC variable may record the average number of network retries that an associated PLC experiences in a given timeframe, whereas another PLC variable records the maximum number of network retries that the PLC experienced during the same timeframe. In another aspect, the learning variables 830 may be employed as counters to record amounts for various events (e.g., record the number of PLC network transfers to an I/O device over the last hour). As can be appreciated, a plurality of such variables can be defined and updated to log various network events during a selected training period. After training, the learning component 800 stores learned patterns or events that are then employed by a learning analyzer component described below to monitor and detect network security problems or identify potential security issues.

FIG. 9 illustrates a learning analyzer 900 in accordance with an aspect of the present invention. The learning analyzer 900 monitors current network and/or device data 910, determines whether the current data is within tolerance of historical data patterns that were previously learned/recorded, and initiates one or more automated actions 920 if the current data 910, including trends derived therefrom, is determined to be outside of the tolerance. These determinations can be achieved via a comparison analyzer 930 that compares learned data patterns 940 with current data patterns 944 in accordance with threshold and/or range data illustrated at 950. For example, a learned pattern 940 could be that between 11:00 and 12:00, network load between four network devices is about ten million data packet transfers. Thus, if a threshold 950 were set at one million transfers, and current data patterns 944 exceeded the learned data pattern 940 (ten million transfers during the selected period) by more than one million transfers, then the comparison analyzer 930 would detect this overload (e.g., by subtracting the learned data from the current data and comparing the difference to the threshold data) and initiate the automated actions 920.

Similar to the validation components described above, the automated actions 920 can include automatically correcting security problems, such as automatically adjusting security parameters, altering network traffic patterns, installing new security components, removing/disabling suspicious components, firing alarms, and/or automatically notifying entities about detected problems and/or concerns, among other actions, for example.

In another aspect, the threshold data 950 can include range data, thus providing upper and lower thresholds for given patterns. For example, a range can be specified to detect events that occur within or outside the selected range. In the example above, a range may have been specified as plus and minus one million transfers (the upper and lower bounds need not be equidistant from the learned value); thus, if current data patterns were detected to be above eleven million or below nine million transfers, i.e., outside the selected range of 10 million +/-1 million transfers, then an automated action 920 would be initiated by the comparison analyzer 930. As can be appreciated, a plurality of thresholds and/or ranges 950 can be specified. In addition, the threshold and range data 950 can be specified in various formats (e.g., in terms of standard deviation), and can include dynamically adjustable thresholds or ranges (e.g., set the threshold high in the morning and lower in the afternoon, or change the threshold according to real time processing requirements).

As illustrated, the comparison analyzer 930 can also monitor, analyze, and detect deviations between stored variables 960 and current variables 964 in view of the threshold and range data 950. A user interface 970, having similar display/input functionality as previously described, can be provided to specify/adjust the threshold and/or range data 950. The user interface 970 can also interact with and control the learning analyzer 900 (e.g., set thresholds or ranges; add, remove, or adjust learning models; view analyzer status; configure automated actions; monitor variables; adjust variables; generate security reports; and the like).

FIGS. 10-12 illustrate security methodologies in accordance with an aspect of the present invention. While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of acts, it is to be understood and appreciated that the present invention is not limited by the order of acts, as some acts may, in accordance with the present invention, occur in different orders and/or concurrently with other acts from that shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Moreover, not all illustrated acts may be required to implement a methodology in accordance with the present invention.

FIG. 10 illustrates a security analysis process 1000 in accordance with an aspect of the present invention. Proceeding to 1010, factory descriptions of automation assets, network devices, network topologies, and/or other factory data are generated. Such data can include an abstract description of a factory, models, equations, maps, and network pathways to access the automation assets. The descriptions can also include risk data, cost data, security data from other security tools, and partitioning or user data, for example. At 1018, the factory descriptions are processed, such as via an object, application, security engine, ASIC, computer, web service, and so forth.

At 1022, security output data is determined in accordance with the factory descriptions and processing described above. The security output data can include a set or subset of recommended security components, codes, parameters, settings, related interconnection topology, connection configurations, application procedures, security policies, rules, user procedures, and/or user practices, for example, as noted above. At 1026, security output data is generated that can be automatically deployed to one or more entities such as users or devices in order to implement various security measures within an automation environment (e.g., a data file or schema generated to automatically configure devices, provide user training and precautions, or provide security configurations and topologies). At 1030, when the security output data has been disseminated, entities employ the security data to mitigate network security issues such as unwanted network access and/or network attack.
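One way to turn the abstract factory description of 1010 into the security output data of 1022 is to treat the description as a graph and look for network pathways that reach an automation asset from an outside network without passing a security gateway. The Python below is an added example and not the patent's own analysis engine; the factory description, the zone and criticality attributes, the risk weights and the recommendation wording are assumptions made for the example.

```python
"""Security analysis over an abstract factory description.

Added example; not code from the patent. The factory description (assets with
criticality and risk, IT/network devices with a zone, a security gateway, and
links between them) is a constructed assumption. The analysis enumerates every
pathway from an outside network to each automation asset and, for pathways
that reach the asset without crossing a security gateway, emits output data of
the kind described at 1022: where to insert a gateway and which policy to
deploy, ordered by criticality times risk.
"""

# Constructed factory description (1010). Links are undirected.
NODES = {
    "internet": {"kind": "outside"},
    "corp-net": {"kind": "it", "zone": "enterprise"},
    "gateway-1": {"kind": "gateway", "zone": "dmz"},   # security gateway / firewall
    "eng-ws": {"kind": "it", "zone": "enterprise"},    # engineering workstation, dual-homed
    "plant-switch": {"kind": "network", "zone": "control"},
    "plc-1": {"kind": "asset", "zone": "control", "criticality": 3, "risk": 0.8},
    "hmi-1": {"kind": "asset", "zone": "control", "criticality": 1},
}
LINKS = [
    ("internet", "corp-net"), ("corp-net", "gateway-1"), ("gateway-1", "plant-switch"),
    ("corp-net", "eng-ws"), ("eng-ws", "plant-switch"),
    ("plant-switch", "plc-1"), ("plant-switch", "hmi-1"),
]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def simple_paths(adj, start, goal):
    """All loop-free paths from start to goal (iterative DFS). Exhaustive, which
    is fine for factory-sized graphs; a production tool would cap path length."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(adj.get(node, ())):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def boundary_link(path, nodes):
    """First link on the path that enters the control zone: where a gateway belongs."""
    for a, b in zip(path, path[1:]):
        if nodes[a].get("zone") != "control" and nodes[b].get("zone") == "control":
            return (a, b)
    return None


def analyze(nodes, links):
    """Return one recommendation per unprotected outside-to-asset pathway."""
    adj = adjacency(links)
    outside = [n for n, a in nodes.items() if a["kind"] == "outside"]
    recs = []
    for asset, attrs in nodes.items():
        if attrs["kind"] != "asset":
            continue
        priority = attrs.get("criticality", 1) * attrs.get("risk", 0.5)
        for src in outside:
            for path in simple_paths(adj, src, asset):
                if any(nodes[n]["kind"] == "gateway" for n in path):
                    continue  # pathway already crosses a security gateway
                recs.append({
                    "asset": asset,
                    "path": path,
                    "priority": priority,
                    "insert_gateway": boundary_link(path, nodes),
                    "policy": f"deny write requests to {asset} originating outside the control zone",
                })
    recs.sort(key=lambda r: -r["priority"])
    return recs


def deployment_data(recs):
    """Collapse recommendations into the data a deployment step (1026) hands out."""
    return {
        "gateway_insertions": sorted({r["insert_gateway"] for r in recs if r["insert_gateway"]}),
        "policies": sorted({r["policy"] for r in recs}),
    }
```

The recommendations come out ordered by criticality times risk, which is where the risk and cost data mentioned at 1010 enter; `deployment_data` collapses them into the list of gateway insertions and policies that 1026 would push to devices and users.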

FIG. 11 illustrates a security validation process 1100 in accordance with an aspect of the present invention, which includes host-based and/or network-based processing as noted above. Proceeding to 1110, security assessments are performed. This can include initial and/or periodic live security assessment of a physical system to identify security flaws or weaknesses. At 1122, security compliance tests are performed. This can include automated checking prior to proposed or attempted network security modifications in order to assess current security levels. Compliance checking can also include determining conformance to other automated security analysis recommendations, conformance to applicable device/network security standards, and/or conformance to predetermined or factory-specific guidelines, for example.

At 1126, vulnerability scanning and/or auditing on devices/networks is performed. This includes revision checks, improper configuration checks, file system/registry/database permissions checks, user privilege/password and/or account policy checks, checking for susceptibility to common network-based attacks, searching for open network ports, scanning for vulnerable network services, learning identity information about end devices/users that may enable hacker entry, performing vulnerability scanning and auditing on firewalls, routers, and/or other security devices, non-destructively mapping a topology of IT and automation devices, checking revisions and configurations, checking user attributes, and/or checking access control lists. At 1130, a determination is made as to whether security issues have been detected, such as in accordance with the assessments, compliance testing, and scanning/auditing described above. If no security issues are detected at 1130, the process proceeds back to 1110. If security issues are detected at 1130, the process proceeds to 1134. At 1134, one or more automated security actions are performed to mitigate security threats. This can include automatically correcting security problems, such as automatically adjusting security parameters, altering network traffic patterns, installing new security components, removing suspicious components, firing alarms, and/or automatically notifying entities about detected problems and/or suspicions. After automated processing at 1134, the process proceeds back to 1110 for further security processing, analysis, scanning, and detection.
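The validation steps 1110 through 1134, and the checks listed for the validation tools 550 and 560 and the assessment component 620 in FIGS. 5 and 6, amount to comparing a device snapshot against a stored security configuration and attaching an automated action to each difference. The Python below is an added example, not code from the patent; the baseline values, the device snapshot, the port allow list (TCP 44818 and UDP 2222 are the EtherNet/IP explicit and implicit messaging ports, used here only as an assumed allow list) and the action text are assumptions.

```python
"""Host and network validation checks against a stored security configuration.

Added example; not code from the patent. It performs the checks the text lists
for the validation tools 550/560, the assessment component 620 and steps
1110-1134: a revision check, a configuration comparison against a stored
baseline, account policy checks, a file permission check on the host, and an
open-port comparison for the network side. Each finding carries the automated
action (654-670) that would follow. Baseline values, device snapshot and port
list are assumptions.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    detail: str
    action: str   # automated security action proposed for this finding


# Stored security configuration (assumed) that a conforming device must match.
BASELINE = {
    "min_firmware": "21.0",
    "config": {"telnet_enabled": False, "web_server_enabled": False,
               "default_password_changed": True},
    "account_policy": {"min_password_length": 8, "lockout_threshold": 5},
    # Assumed allow list: EtherNet/IP explicit (TCP 44818) and implicit I/O (UDP 2222).
    "allowed_ports": {44818, 2222},
}


def parse_revision(rev):
    """'20.11' -> (20, 11). Non-numeric parts count as 0 so a malformed
    revision string is flagged as old rather than crashing the audit."""
    return tuple(int(p) if p.isdigit() else 0 for p in rev.split("."))


def check_revision(device, baseline=BASELINE):
    if parse_revision(device["firmware"]) < parse_revision(baseline["min_firmware"]):
        return [Finding("revision",
                        f"firmware {device['firmware']} below minimum {baseline['min_firmware']}",
                        "notify maintenance; schedule firmware update")]
    return []


def check_config(device, baseline=BASELINE):
    """Assessment (620): compare the stored configuration with the observed one."""
    return [Finding("config", f"{k}={device['config'].get(k)!r}, expected {v!r}",
                    f"set {k} to {v!r}")
            for k, v in baseline["config"].items() if device["config"].get(k) != v]


def check_account_policy(device, baseline=BASELINE):
    findings = []
    pol, want = device["account_policy"], baseline["account_policy"]
    if pol.get("min_password_length", 0) < want["min_password_length"]:
        findings.append(Finding("account_policy", "minimum password length too short",
                                f"raise minimum password length to {want['min_password_length']}"))
    if not 0 < pol.get("lockout_threshold", 0) <= want["lockout_threshold"]:
        findings.append(Finding("account_policy", "account lockout disabled or too lax",
                                f"set lockout threshold to {want['lockout_threshold']}"))
    return findings


def check_permissions(paths):
    """Host-based file system permission check: flag world-writable files."""
    return [Finding("permissions", f"{p} is world-writable", f"chmod o-w {p}")
            for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def check_open_ports(observed_ports, baseline=BASELINE):
    """Network-based check: listening ports that are not on the allow list."""
    return [Finding("open_ports", f"unexpected listening port {port}",
                    f"disable the service on port {port} or block it at the firewall")
            for port in sorted(set(observed_ports) - baseline["allowed_ports"])]


def validate(device, paths=(), observed_ports=()):
    """Run all checks; an empty list means the device conforms to the baseline."""
    return (check_revision(device) + check_config(device) + check_account_policy(device)
            + check_permissions(paths) + check_open_ports(observed_ports))


# Constructed snapshot of a non-conforming controller and its observed ports.
SAMPLE_DEVICE = {
    "name": "plc-1",
    "firmware": "20.11",
    "config": {"telnet_enabled": True, "web_server_enabled": False,
               "default_password_changed": True},
    "account_policy": {"min_password_length": 6, "lockout_threshold": 0},
}
SAMPLE_PORTS = {44818, 2222, 23, 80}


def permissions_demo():
    """Create two temporary files, one world-writable; True if only that one is flagged."""
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "config.db"), os.path.join(d, "firmware.bin")
        for path, mode in ((bad, 0o666), (good, 0o640)):
            open(path, "w").close()
            os.chmod(path, mode)
        return [f.action for f in check_permissions([bad, good])] == [f"chmod o-w {bad}"]
```

Each Finding carries the action the automated action component would take, so one list drives both the report and the corrective step; `validate` returning an empty list is the conformance result a compliance test at 1122 would record.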

FIG. 12 illustrates a security learning and detection process 1200 in accordance with an aspect of the present invention, which can also include network-based aspects and/or host-based aspects as noted above. At 1210, one or more learning components, such as learning models, learning systems, parameters, and/or variables, are defined that describe various network and/or system properties. Such components can be adapted to determine statistical or pattern information regarding network and system activities. This information can include the number, quantity, or average of network requests to and from one or more assets or network devices; the type of requests (e.g., read/write, role/identity of the person/system requesting access, time of requests, location of requests); status or counter data (e.g., network access counters, error codes); and/or substantially any data type or pattern that may be retrieved from a network, automation asset, or network device. At 1214, system learning is performed. This includes monitoring an automation network during a predetermined training period, wherein the learning components described above acquire information about network, system, user, and/or device activities during the training period. For example, a counter variable may learn the average number of network requests that are sent to an automation asset in a given time period (statistical measures other than the average can also be used). In another example, an intelligent component such as a Bayesian inference model, probability determination, or neural network learns patterns such as "During heaviest network loads, the PLC responds to 25% fewer requests, and during real time processing operations, 35% fewer requests, for a maximum of 23 requests per minute processed during such periods, +/-1 standard deviation."

After the training period at 1214, learned patterns are compared to current data patterns in view of predetermined threshold or range settings at 1218. For example, if the mean factory network traffic is learned to be about 20,000 bytes per second, +/-5,000 bytes, a range can be set up so that an automated action is triggered if network traffic goes above 26,000 bytes per second or below 10,000 bytes per second, while system security performance is considered acceptable as long as network traffic remains within the selected range. It is noted that thresholds/ranges can be set according to user desires, automated determinations, and/or according to the amount of risk and/or cost that is deemed acceptable (e.g., for a lesser amount of security risk, set thresholds closer to the learned patterns).

At 1224, a determination is made as to whether or not deviations from the learned data patterns were detected at 1218. If no deviations are detected, the process proceeds back to 1218 for further comparison processing. If deviations are detected at 1224, then one or more automated actions may be performed at 1228. Similar to the process described above, this can include automatically correcting security problems, such as automatically adjusting security parameters, altering network traffic patterns, installing new security components, removing suspicious components, firing alarms, and/or automatically notifying entities about detected problems and/or suspicions (e.g., sending an e-mail, alerting a pager, calling a number, generating a file, sounding an alarm, interrupting a web session, opening an instant messaging service, and so forth). After automated processing at 1228, the process proceeds back to 1218 for further security processing, comparison, and detection.
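The learning and detection flow of FIGS. 7 through 9 and of process 1200 can be implemented with little code once the learned pattern is stored as statistics per asset and hour of day. The Python below is an added example, not the patent's learning component; the month of hourly counters is constructed deterministically, and the asset names, the three-standard-deviation default, the per-hour override and the action names are assumptions made for the example.

```python
"""Learning component and learning analyzer over constructed counter data.

Added example, not code from the patent. Learning variables are built from
per-hour request counters queried from an asset during a training period
(one (mean, standard deviation, maximum) per asset and hour of day). A
comparison analyzer then checks current counters against threshold/range
data and returns the automated actions to fire. Training counters, asset
names, thresholds and action names are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta


def learn(counters):
    """counters: iterable of (asset, hour_timestamp, request_count) from the
    training period. Returns {(asset, hour_of_day): (mean, stdev, maximum)}."""
    samples = defaultdict(list)
    for asset, ts, n in counters:
        samples[(asset, ts.hour)].append(n)
    model = {}
    for key, xs in samples.items():
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        model[key] = (mean, math.sqrt(var), max(xs))
    return model


class Threshold:
    """Threshold and range data (950): mean -/+ k standard deviations unless an
    absolute (below, above) range is given; per_hour maps an hour of day to an
    absolute range, giving dynamically adjustable thresholds."""

    def __init__(self, sigmas=3.0, absolute=None, per_hour=None):
        self.sigmas, self.absolute, self.per_hour = sigmas, absolute, per_hour or {}

    def bounds(self, hour, mean, stdev):
        rng = self.per_hour.get(hour, self.absolute) or (self.sigmas * stdev,) * 2
        below, above = rng
        return mean - below, mean + above


def analyze(model, current, threshold):
    """current: iterable of (asset, hour_timestamp, request_count). Returns one
    record per deviation with the automated actions (920) to initiate."""
    deviations = []
    for asset, ts, n in current:
        stats = model.get((asset, ts.hour))
        if stats is None:   # asset or hour never seen in training
            deviations.append({"asset": asset, "time": ts, "count": n,
                               "kind": "unlearned", "actions": ["notify operator"]})
            continue
        mean, stdev, _ = stats
        low, high = threshold.bounds(ts.hour, mean, stdev)
        if n > high:        # surge: possible flooding or scanning from outside
            deviations.append({"asset": asset, "time": ts, "count": n, "kind": "above",
                               "range": (low, high),
                               "actions": ["fire alarm",
                                           f"disable network requests to {asset} from outside networks",
                                           "notify operator"]})
        elif n < low:       # drop: asset unreachable or isolated; alarm, do not cut traffic
            deviations.append({"asset": asset, "time": ts, "count": n, "kind": "below",
                               "range": (low, high), "actions": ["fire alarm", "notify operator"]})
    return deviations


def constructed_training(asset="plc-1", days=30, start=datetime(2024, 1, 1)):
    """Deterministic stand-in for a month of hourly counters: busy on the day
    shift, quiet at night, with a small repeatable jitter of -20..+20."""
    rows = []
    for d in range(days):
        for h in range(24):
            base = 1000 if 8 <= h < 18 else 200
            jitter = ((d * 7 + h * 3) % 11 - 5) * 4
            rows.append((asset, start + timedelta(days=d, hours=h), base + jitter))
    return rows


def check_once(model, hour, count, threshold, asset="plc-1"):
    """Analyze a single current counter value taken at the given hour of day."""
    return analyze(model, [(asset, datetime(2024, 2, 1, hour), count)], threshold)


def run_sample():
    """Train on the constructed month, then analyze one day of current counters."""
    model = learn(constructed_training())
    day = datetime(2024, 2, 1)
    current = [("plc-1", day + timedelta(hours=10), 1010),  # within tolerance
               ("plc-1", day + timedelta(hours=14), 1500),  # surge
               ("plc-1", day + timedelta(hours=3), 60),     # drop
               ("plc-2", day + timedelta(hours=3), 60)]     # asset never trained on
    return model, analyze(model, current, Threshold(sigmas=3.0))
```

`Threshold` covers the three forms the text mentions: an absolute range such as 10 million +/-1 million, a range in standard deviations, and per-hour overrides for thresholds that change through the day. A count above the upper bound fires the outside-network disable action; a count below the lower bound only alarms and notifies, because a drop more often means the asset is unreachable than that it is under attack, and cutting traffic would make that worse.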

What has been described above are preferred aspects of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art will recognize that many further combinations and permutations of the present invention are possible. Accordingly, the present invention is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims.

What is claimed is:
 1. A system for providing security on an industrial network, comprising: a memory that stores computer-executable components; and a processor, operatively coupled to the memory, that executes the computer-executable components, the computer-executable components comprising: a learning component configured to determine a first pattern of data communication between an industrial controller and an industrial asset device based on monitoring of data exchanged between the industrial controller and the industrial asset device via an automation network during a training period; and an analyzer component configured to determine a second pattern of data communication based on monitoring of the data exchanged between the industrial controller and the industrial asset device subsequent to the training period, and to generate a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined deviation threshold, wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
 2. The system of claim 1, further comprising an interface component configured to receive input that modifies the defined deviation threshold.
 3. The system of claim 1, wherein the security output is configured to disable network requests to access the industrial controller from another network that is different than the automation network.
 4. The system of claim 1, wherein the data comprises at least one of input data received by the industrial controller from the industrial asset device and stored in an I/O memory space of the industrial controller or output data written to the I/O memory space by the industrial controller and sent to the industrial asset device.
 5. The system of claim 1, wherein the learning component is further configured to determine a first average number of network retries performed by the industrial controller during the training period, and the analyzer component is further configured to generate another security output in response to determining that a second average number of network retries performed by the industrial controller subsequent to the training period exceeds the first average number of network retries in excess of a tolerance.
 6. The system of claim 1, wherein the first pattern of data communication comprises an average number of data packet transfers between the industrial controller and the industrial asset device during a daily range of time.
 7. The system of claim 1, wherein the security output is further configured to adjust a security parameter on at least one of the industrial controller, the industrial asset device, or a network device on the automation network.
 8. The system of claim 1, wherein the analyzer component is further configured to set the security output based on model data that models the industrial controller, the industrial asset device, and one or more network pathways to at least one of the industrial controller or the industrial asset device.
 9. The system of claim 8, wherein the analyzer is further configured to generate, based on analysis of the model, a recommendation output specifying a recommendation for implementing a security countermeasure for an industrial system comprising the industrial controller and the industrial asset device.
 10. The system of claim 9, wherein the recommendation output specifies at least one of a recommended network architecture, a recommendation to connect an identified device of the industrial system to a router, or a recommended security component to be installed on an identified device of the industrial system.
 11. A method for implementing industrial network security, comprising: monitoring, by a system comprising a processor, first data exchange activity between an industrial controller and an industrial asset via a plant network during a training period; determining, by the system based on the monitoring of the first data exchange activity, a first pattern of data communication between an industrial controller and an industrial asset device; monitoring, by the system, second data exchange activity between the industrial controller and the industrial asset via the plant network subsequent to the training period; determining, by the system based on the monitoring of the second data exchange activity, a second pattern of data communication between the industrial controller and the industrial asset device; and in response to determining that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, generating a security output configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
 12. The method of claim 11, wherein the generating the security output comprises configuring the security output to disable network requests for access to the industrial controller originating from another network that is different than the plant network.
 13. The method of claim 11, wherein the monitoring the first data exchange activity comprises monitoring at least one of input data received by the industrial controller from the industrial asset device and stored in an I/O memory space of the industrial controller or output data written to the I/O memory space by the industrial controller and sent to the industrial asset device.
 14. The method of claim 11, further comprising: determining, based on monitoring of a data register stored on the industrial controller, a first average number of network retries performed by the industrial controller during the training period; and generating another security output in response to determining that a second average number of network retries performed by the industrial controller subsequent to the training period exceeds the first average number of network retries in excess of the defined tolerance.
 15. The method of claim 11, wherein the determining the first pattern of data communication comprises determining an average number of data packet transfers between the industrial controller and the industrial asset device during a daily range of time.
 16. The method of claim 11, wherein the generating the security output comprises configuring the security output to adjust a security parameter of at least one of the industrial controller, the industrial asset device, or a network device on the plant network.
 17. The method of claim 11, wherein the generating the security output comprises configuring the security output based on model information that models the industrial controller, the industrial asset device, and one or more network pathways to at least one of the industrial controller or the industrial asset device.
 18. A non-transitory computer-readable medium having stored thereon instructions that, in response to execution, cause a security analysis system comprising a processor to perform operations, the operations comprising: determining a first pattern of data communication between an industrial controller and an industrial asset based on monitoring of first data exchanged between the industrial controller and the industrial asset device via an industrial network during a training period; determining a second pattern of data communication based on monitoring of second data exchanged between the industrial controller and the industrial asset device after the training period; and generating a security output in response to a determination that the second pattern of data communication deviates from the first pattern of data communication in excess of a defined tolerance, wherein the security output is configured to alter a network traffic pattern between the industrial controller and the industrial asset device.
 19. The non-transitory computer-readable medium of claim 18, wherein the generating comprises configuring the security output to disable network requests for access to the industrial controller originating from another network that is different than the automation network.
 20. The non-transitory computer-readable medium of claim 18, wherein the generating comprises configuring the security output to adjust a security parameter on at least one of the industrial controller, the industrial asset device, or a network device on the industrial network.